author | Daiki Ueno <ueno@gnu.org> | 2021-09-21 08:07:25 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2022-05-04 10:11:34 +0200 |
commit | f3547866a15e4386a92107fa95892e6a9f60916f (patch) | |
tree | 9e67aa0923b92c5e60ba77f26903c8454cbb999b /lib/includes | |
parent | bc529aab95429c2a979cdbc7b17572304d3ba43c (diff) | |
tls: add flag to disable session ticket in TLS 1.2
The existing GNUTLS_NO_TICKETS flag affects all versions of TLS, where
PFS is assured in TLS 1.3, while it is not in TLS 1.2. This adds a
new flag GNUTLS_NO_TICKETS_TLS12 to allow applications to disable
session tickets only in TLS 1.2.
As the only means of resumption in TLS 1.3 is using session tickets,
we could repurpose the GNUTLS_NO_TICKETS flag to make it a no-op in TLS
1.3. However it would break backward compatibility, so we defer it to
the next major release.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib/includes')
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index f8c0faff96..f7fc5d114a 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -454,6 +454,7 @@ typedef enum {
  * This is not enabled by default as early data has weaker security properties than other data. Since 3.6.5.
  * @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expected by the server. Since 3.5.0.
  * @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets.
+ * @GNUTLS_NO_TICKETS_TLS12: Flag to indicate that the session should not use resumption with session tickets. This flag only has effect if TLS 1.2 is used.
  * @GNUTLS_KEY_SHARE_TOP3: Generate key shares for the top-3 different groups which are enabled.
  * That is, as each group is associated with a key type (EC, finite field, x25519), generate
  * three keys using %GNUTLS_PK_DH, %GNUTLS_PK_EC, %GNUTLS_PK_ECDH_X25519 if all of them are enabled.
@@ -517,7 +518,8 @@ typedef enum {
 	GNUTLS_AUTO_REAUTH = (1<<19),
 	GNUTLS_ENABLE_EARLY_DATA = (1<<20),
 	GNUTLS_NO_AUTO_SEND_TICKET = (1<<21),
-	GNUTLS_NO_END_OF_EARLY_DATA = (1<<22)
+	GNUTLS_NO_END_OF_EARLY_DATA = (1<<22),
+	GNUTLS_NO_TICKETS_TLS12 = (1<<23)
 } gnutls_init_flags_t;
 
 /* compatibility defines (previous versions of gnutls
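Review bot: The new @GNUTLS_NO_TICKETS_TLS12 entry in the first hunk carries no `Since` tag, while the neighbouring @GNUTLS_FORCE_CLIENT_CERT and early-data entries record the release they were introduced in; it should end with `Since <release version>.` once the target release is fixed. The entry also gives no reason for a TLS 1.2-only variant, although the commit message does: I would add `Unlike TLS 1.3, session tickets in TLS 1.2 do not provide forward secrecy, so applications may wish to disable them only there.` after the first sentence, so that users understand the security trade-off the flag addresses. The interaction with the existing @GNUTLS_NO_TICKETS flag when both are set is not documented either; presumably the broader flag wins, but the header should say so. The enum these hunks touch opens before the first hunk, outside the diff.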